Search This Blog

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

The current campaign appears to be almost exclusively focused on government or public entities in Asia.

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.
Share it:

Cyber Spy

Data

Government

Hackers

malware

Network

Researchers

Safety

Security